Carbon Black Cloud Sensor: What happens when a Device is placed in Quarantine?

Article ID: 285472

Products

  • Carbon Black Cloud Endpoint Standard (formerly Cb Defense)
  • Carbon Black Cloud Enterprise EDR (formerly Cb ThreatHunter)

Issue/Introduction

What happens when a Device is placed in Quarantine?

Environment

  • Carbon Black Cloud Console: All Versions
  • Carbon Black Cloud Windows Sensor: All Supported Versions
  • Carbon Black Cloud MacOS Sensor: All Supported Versions
  • Carbon Black Cloud Linux Sensor: Version 2.13 and Later

Resolution

Connections

  • The network filter driver blocks all incoming and outgoing TCP traffic to any IP address or port, except for the connections used to maintain communication with the Carbon Black Cloud Console
  • A quarantined device can still check in with the Carbon Black Cloud Console to receive device status changes, e.g. a switch from Quarantine back to Active

Remote Investigation/Remediation Tools

  • Quarantine mode allows both CB Support and Carbon Black Cloud Administrators to continue investigating the device from the Carbon Black Cloud Console (Investigate page, Live Response, Live Query, etc.) while reducing the risk of letting a compromised device reach the local network
  • CB Support can still pull sensor logs from the device while it is in Quarantine mode

Additional Information

  • Windows & Mac: all UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP (UDP/67 and UDP/68)
  • Linux: all UDP connections are blocked except those used for DNS requests (UDP/53) and DHCP (UDP/67 and UDP/68 for IPv4; UDP/546 and UDP/547 for IPv6)
  • DNS and DHCP are allowed to ensure two-way communication between the Carbon Black Cloud Console and the quarantined device
  • ARP is allowed so that IP addresses can still be resolved to MAC addresses on the local segment
  • ICMP (ping) is allowed
  • Quarantine terminates any active sockets that are not exempt from Quarantine, so connections that existed before the device was quarantined are torn down and must be re-established, and re-authorized, under the quarantine rules rather than surviving because they predate it
  • Windows Filtering Platform API is used to determine traffic type per connection on Windows
  • The types of connections, remote investigation, or remediation tools that are allowed and disallowed in quarantine mode cannot be customized
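The allow-list above can be checked from the outside: flows seen at an upstream firewall or NetFlow collector from a host the console reports as Quarantined should fall entirely within it, and anything else indicates the sensor is not enforcing quarantine as documented. The following audit script is an added example for this article, not Carbon Black code. It encodes the documented exemptions (console TCP connection, DNS and DHCP over UDP, DHCPv6 on Linux only, ICMP and ARP) and flags every other flow. The console addresses and the TCP/443 console port are assumptions (the article does not name them; take the real values from your tenant's sensor configuration), and the `proto=... dst=... dport=...` record format and the sample flows are constructed for the example.

```python
"""Audit observed network flows from a quarantined endpoint against the
Quarantine mode allow-list. Constructed example, not Carbon Black code."""
from dataclasses import dataclass

# Assumption: addresses the sensor uses to reach the Carbon Black Cloud
# Console. TEST-NET-3 placeholders; take the real set from your tenant's
# sensor configuration.
CONSOLE_ENDPOINTS = {"203.0.113.10", "203.0.113.11"}
# Assumption: the console connection is TCP/443. The article only says "the
# ports used to maintain a connection to the console" without naming them.
CONSOLE_TCP_PORTS = {443}

# Documented UDP exemptions: DNS and DHCP everywhere, DHCPv6 on Linux only.
UDP_ALLOWED_ALL = {53, 67, 68}
UDP_ALLOWED_LINUX_EXTRA = {546, 547}
# Documented non-TCP/UDP exemptions.
ALWAYS_ALLOWED_PROTOS = {"icmp", "arp"}

PLATFORMS = {"windows", "mac", "linux"}


@dataclass(frozen=True)
class Flow:
    proto: str      # "tcp", "udp", "icmp" or "arp"
    dst_ip: str     # "" when not applicable (ARP)
    dst_port: int   # 0 when not applicable


def parse_flow(line: str) -> Flow:
    """Parse one 'key=value' record, e.g. 'proto=udp dst=10.0.0.1 dport=53'.
    The record format is a constructed one for this example."""
    fields = dict(kv.split("=", 1) for kv in line.split())
    return Flow(
        proto=fields["proto"].lower(),
        dst_ip=fields.get("dst", ""),
        dst_port=int(fields.get("dport", 0)),
    )


def is_allowed(flow: Flow, platform: str) -> bool:
    """Return True if Quarantine mode is expected to let this flow through."""
    platform = platform.lower()
    if platform not in PLATFORMS:
        raise ValueError(f"unknown platform {platform!r}")
    if flow.proto in ALWAYS_ALLOWED_PROTOS:
        return True
    if flow.proto == "tcp":
        # Only the console connection survives; every other TCP flow is dropped.
        return flow.dst_ip in CONSOLE_ENDPOINTS and flow.dst_port in CONSOLE_TCP_PORTS
    if flow.proto == "udp":
        allowed = set(UDP_ALLOWED_ALL)
        if platform == "linux":
            allowed |= UDP_ALLOWED_LINUX_EXTRA   # DHCPv6 exemption is Linux-only
        return flow.dst_port in allowed
    return False   # anything else is treated as blocked


def audit_flows(lines, platform: str) -> list:
    """Return the flows that should NOT be visible from a quarantined host.
    A non-empty result means quarantine is not being enforced as documented."""
    return [f for f in map(parse_flow, lines) if not is_allowed(f, platform)]


# Constructed sample: flows captured at an upstream firewall from a host
# that the console reports as Quarantined.
SAMPLE_FLOWS = [
    "proto=tcp dst=203.0.113.10 dport=443",    # console check-in: allowed
    "proto=udp dst=192.168.1.1 dport=53",      # DNS: allowed
    "proto=udp dst=255.255.255.255 dport=67",  # DHCP discover: allowed
    "proto=icmp dst=192.168.1.1 dport=0",      # ping: allowed
    "proto=udp dst=ff02::1:2 dport=547",       # DHCPv6: Linux only
    "proto=tcp dst=192.168.1.50 dport=445",    # SMB to a peer: must be blocked
    "proto=udp dst=192.168.1.20 dport=161",    # SNMP: must be blocked
]

if __name__ == "__main__":
    for platform in ("windows", "linux"):
        unexpected = audit_flows(SAMPLE_FLOWS, platform)
        print(f"{platform}: {len(unexpected)} unexpected flow(s)")
        for f in unexpected:
            print(f"  {f.proto} -> {f.dst_ip}:{f.dst_port}")
```

Run against the sample, the Windows audit flags the DHCPv6, SMB and SNMP flows; the Linux audit flags only SMB and SNMP, because UDP/546 and UDP/547 are exempt there. Because quarantine terminates non-exempt sockets that were already open, a flow that predates quarantine is not a legitimate exception to this check either.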